nmap - Why do I get closed responses when it should just assume closed

Darz
Darz used Ask the Experts™
on
I would expect to get responses like open and filtered, open|filtered even which are meaningful, but nmap gives me back a list of ports, some of which are marked 'closed' ... but the other ports which it does not give me back in the results are assumed closed also, so why do some get reported as 'closed' and some just left to be assumed closed.  Am I missing something? Is there another meaning to these returned as closed than the other ones which are just assumed to be closed?
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
The three common results you'll see from Nmap are:

FILTERED:  The scan attempted to reach a port that was blocked, typically by some type of firewall feature.

OPEN:  The scan attempted to reach a port running a service and the service was available.

CLOSED:  The scan attempted to reach a port running a service and the service was not available.

If you're scanning an internal system, then yes, most ports should be reported as CLOSED.  CLOSED is typically examined when auditing firewall configurations from the Internet to determine whether or not a firewall is configured correctly.  A firewall should only be configured to allow access to running services.  If you see a CLOSED port from the Internet, the hole exists in the firewall to allow traffic for a service that does not exist.  These other ports could be used by malicious parties to compromise your network.

Hope this helps...

Mike

Author

Commented:
Hi, thanks for this, I was getting confused because I had in my head that all ports for which no response was given is considered closed, and I wasn't sure of my definition of closed either.  I just checked and yea, the remaining ports may be open, closed or unfiltered.

One last thing though I still haven't got straight ... a couple of the scan types (window and maimon) for a machine I just tested there are giving me back a few 'filtered' and 'open|filtered' results respectively and saying that the remaining ports are 'closed' ... so under your definition of closed, there are 995 ports which allow access to them but have nothing running there, that's fine, so these scans would lead me to believe that at least 995 ports should be blocked at the firewall.  But then I go and do a SYN scan which reports 6xopen ports, 8xclosed and all remaining are said to be filtered!!
So I'm thinking this one of three things ... (a) nmap just doesn't know the difference sometimes depending on it's method of scanning (b) closed means something different depending on the scan type, like maybe for firewall related scans as opposed to ... ACK does say all remaining are 'unfiltered' and just lists the 5 'filtered' ones which is fair enough, but but then window, as above, seems to be contradicting the SYN scan result which says that all remaining ports are filtered (c) I'm totally confused :P

Author

Commented:
Cheers for that! I almost forgot to accept your answer. So there you go :)

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial